Why would UK FTSE 350 companies wait for MI5 and GCHQ to offer free assessments of their cyber defences?

I was reading an article last night that appeared on The Telegraph website about UK FTSE 350 companies being offered a free assessment of their cyber defences.

This new initiative is called the “Cyber Governance Health Check” and is being run under the auspices of the UK Government’s wider Cyber Security Strategy. The heads of MI5 and GCHQ, together with the Universities Minister, David Willetts, have written a letter to the chairs of the UK’s FTSE 350 companies, inviting their organisations to participate.

The aim of the new initiative is to ‘make the UK one of the safest places in the world to do business’, according to The Telegraph.

Each organisation that agrees to participate will undergo an assessment of its cyber defences and then receive a report of the results. This report will enable an organisation to compare its results against those of its peers, helping it to make informed decisions about how it can then plug any vulnerabilities discovered.

But shouldn’t FTSE 350 companies already be undertaking pen tests or information security risk assessments anyway? The fact that the Government is going to this effort not only suggests that organisations don’t really understand cyber security, it also raises the question of how FTSE 350 organisations are currently protecting their information assets.

Instead of waiting around for MI5, GCHQ and the UK Government to test their cyber defences, organisations should be proactively managing the risks posed by cyberspace. Organisations can cost-effectively hire penetration testers to test their cyber defences. Alternatively, organisations can train a member of staff to undertake pen tests, or to gain the skills necessary to undertake security risk assessments by reading books.